Follow the 8 Rules of Fight Club: Protect Against Advanced Threats

Advanced threats can quickly lead to knockouts when organizations are not prepared.

Category: Intelligence; Incident Response and Management

October 09, 2015, by Dell SecureWorks

Follow these eight rules to ensure you are ready for any cyber ring match.

1) You do not talk about fight club...

Your executive wants updates on the status of the advanced threat in your network.

What NOT to do: Send an email as soon as possible with a summary to your management.

What to do: Use out-of-band communication (a phone call, a clean device on a separate network, a channel that does not touch corporate email) instead of relying on your compromised infrastructure. Threat actors are IN your environment: they can read what you say about them, capture screenshots of what you are discussing, and adjust their intrusion tactics accordingly.

2) You DO NOT talk about the fight...until it is over

You found the threat group. Your security team is proud and wants to spread the word.

What NOT to do: Share your findings publicly to enhance public perception and generate marketing buzz.

What to do: Don't publicly share any information until the fight is completely over. Threat groups monitor the Internet for any information that will help them hone, tweak, and enhance their tactics to avoid detection.

3) Someone yells stop, goes limp, taps out, the fight is over

You evict the threat actors - things seem to be quiet and calm.

What NOT to do: Go back to business as usual on the assumption that the fight was won and the threat is no longer a risk to your business.

What to do: Always monitor for re-entry attempts. Threat groups are often persistent. Many times they are willing to stay quiet, play dead, and hope that you won't suspect a revisit. But they will come back... with a vengeance. Keep the indicators from the original intrusion (source addresses, accounts, tooling) in your watch lists, because the same actor frequently reuses them.

4) Only 2 guys to a fight...

You are the victim of a security breach, but your organization may only be collateral damage.

What NOT to do: Assume that the threat group’s intent was to steal your company’s sensitive data.

What to do: Understand the intent of the threat group so you can choose the appropriate steps to defend against it. Your company could be collateral damage from a threat group targeting someone or something else that is linked or adjacent to your organization, such as a partner, customer, or supplier.

5) One fight at a time, fellas

You investigate and learn that there are multiple threat groups inside your network.

What NOT to do: Apply the same remediation tactics to all of the observed threat groups.

What to do: Tailoring your response to each group, with separate operating procedures, leads to a more effective eviction. A "one size fits all" approach to eradication and eviction doesn't address the uniqueness of each threat group: different tooling, different persistence mechanisms, and different objectives call for different remediation steps.

6) No shirt, No shoes, No RATs

You assume that an adversary will access your environment using a remote access tool.

What NOT to do: Rely solely on your existing technology to monitor for malware.

What to do: Monitor for anomalous user activity. Threat actors often leverage legitimate remote access solutions (VPN, RDP, remote-support tools) with valid credentials to gain access to the environment. This makes malicious activity much more difficult to detect because the adversary is masquerading as a legitimate user and there is no malware for your existing controls to flag. Baselining where, when, and from what each account normally connects, and alerting on deviations, is what catches this.
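As an added example (this is not code from the original article or from Dell SecureWorks), the following Python script shows the kind of detection rules 3 and 6 call for: it builds a per-user baseline from a trusted window of remote-access logins, then flags live logins that deviate from it (new source country or IP, logins outside working hours, two logins from different countries too close together) and logins that reuse indicators recorded during the original intrusion, which would signal a re-entry attempt. The log format, field names, IP addresses, users, and the indicator list are all constructed for this illustration and are not taken from the article.

```python
"""
Flag anomalous use of legitimate remote access (rule 6) and reuse of
indicators from an evicted threat group (rule 3).

Added example, not code from the original article or from Dell SecureWorks.
The log layout, users, IPs, and indicator list below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline: logins from a period believed to be clean.
# Fields: timestamp, user, source IP, geo country, result.
BASELINE_LOG = """\
2015-09-01T08:12:05 alice 203.0.113.10 US success
2015-09-01T08:40:11 bob 198.51.100.7 US success
2015-09-02T09:03:44 alice 203.0.113.10 US success
2015-09-02T17:55:02 bob 198.51.100.7 US success
2015-09-03T08:30:19 alice 203.0.113.11 US success
"""

# Constructed live events observed after the threat group was evicted.
LIVE_LOG = """\
2015-10-05T08:05:00 alice 203.0.113.10 US success
2015-10-05T09:14:27 alice 192.0.2.55 RO success
2015-10-05T03:20:02 bob 198.51.100.7 US success
2015-10-05T09:10:44 bob 192.0.2.200 US success
2015-10-06T02:45:09 carol 192.0.2.55 RO success
"""

# Constructed indicators recorded during the original intrusion: any reuse
# is treated as a re-entry attempt regardless of which account is used.
EVICTED_ACTOR_IPS = {"192.0.2.55"}

WORK_START, WORK_END = 7, 19                 # normal interactive hours (24h)
MAX_TRAVEL_WINDOW = timedelta(hours=2)       # two countries inside this = suspicious


def parse(log):
    """Parse the constructed log format into dicts, ordered by time."""
    events = []
    for line in log.splitlines():
        ts, user, ip, country, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "country": country, "result": result})
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events):
    """Per-user sets of source countries and IPs seen during the clean period."""
    countries, ips = defaultdict(set), defaultdict(set)
    for e in events:
        if e["result"] == "success":
            countries[e["user"]].add(e["country"])
            ips[e["user"]].add(e["ip"])
    return countries, ips


def detect(live_events, baseline):
    """Return (timestamp, user, ip, reasons) for every successful login that
    deviates from the baseline or reuses an evicted actor's indicator."""
    countries, ips = baseline
    alerts, last_seen = [], {}
    for e in live_events:
        if e["result"] != "success":
            continue
        user, reasons = e["user"], []
        if e["ip"] in EVICTED_ACTOR_IPS:
            reasons.append("re-entry: IP used by evicted actor")
        if user not in countries:
            reasons.append("user has no baseline")
        else:
            if e["country"] not in countries[user]:
                reasons.append("new country " + e["country"])
            if e["ip"] not in ips[user]:
                reasons.append("new source IP " + e["ip"])
        if not WORK_START <= e["ts"].hour < WORK_END:
            reasons.append("outside working hours")
        prev = last_seen.get(user)
        if (prev and prev["country"] != e["country"]
                and e["ts"] - prev["ts"] < MAX_TRAVEL_WINDOW):
            reasons.append("impossible travel")
        last_seen[user] = e
        if reasons:
            alerts.append((e["ts"].isoformat(), user, e["ip"], reasons))
    return alerts


def run():
    """Build the baseline from BASELINE_LOG and score LIVE_LOG against it."""
    return detect(parse(LIVE_LOG), build_baseline(parse(BASELINE_LOG)))


if __name__ == "__main__":
    for ts, user, ip, reasons in run():
        print(ts, user, ip, "; ".join(reasons))
```

Against the constructed data, alice's 09:14 login from 192.0.2.55 is flagged on four counts at once (evicted-actor IP, new country, new IP, and a second country barely an hour after her normal US login), carol's login reuses the evicted actor's IP with no baseline at all, while bob's off-hours login from his usual address and his daytime login from a new IP each trip only a single, weaker rule. In practice you would weight the reasons rather than treat them equally, and source the baseline from a window you are confident predates the intrusion.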

7) The fight will go as long as it has to...

The threat actor was in and out without you even knowing it. The damage was done by the time you tried to respond, and the fight was already over.

What NOT to do: Panic and assume the adversary is still operating in your environment.

What to do: Scope the activity to understand at what point in the fight you are getting involved. Your response will differ depending on whether the fight has just started, is ongoing, or has already ended; an eviction playbook applied to an intrusion that concluded weeks ago wastes effort that belongs in determining what was taken and how.

8) If this is your first night at fight club, you have to fight

You are under attack by an advanced threat actor.

What NOT to do: Assume that your normal mitigation plan will be effective.

What to do: Act with urgency and fight rather than assume traditional security controls will keep you safe. What you have seen so far may be only the tip of the iceberg.